Annex 1 - Corporate Risk Register Updates since November 2020.


Risk number and title | Risk score as at Nov 2020 | Risk score as at Nov 2021 | Notes


R4: Capacity and Capability | 20 (red) | 20 (red)

The description of this risk has been amended slightly to add references to
insufficient capability, knowledge and skills to the threat identified, to ensure
that it covers the full range of capacity and capability risks.


R73: Compliance Culture | 16 (red) | 16 (red)

This was briefly reduced to 9 (amber) to reflect the deep dive conducted for Audit
Committee into the lines of defence we have in place to ensure we deliver all of our
statutory obligations. This work indicated that we had a good level of compliance
and lines of defence to ensure future compliance. However, further assurance is
needed to ensure that all of these compliance arrangements are operating as designed.


O3: Expectations gap

No significant changes.


R46: Financial resilience | 16 (red)

This risk typically reduces during Q2 and Q3 of financial years as there is more
budget certainty, but increases during Q1 and Q4 to reflect the increased risk at
these times. However, due to the unique budget conditions during 2020/21 due to the
pandemic and the Companies House campaign, this risk was at a relatively high score
as at November 2020. The score remained high until the end of Q2 2021/22, when we
had more certainty on the deliverability of the 2021/22 budget.


R84: Major incident | 15 (red)

The score was reduced as the learning from the COVID-19 business continuity event
has allowed us to improve business continuity practices and test our responses in a
live environment. As such, the likelihood of a business continuity event has reduced.


R85: Managing ICO 
reputation 


While the current score has not changed, the target score 
was increased from 4 to 6, to reflect the number of 
external variables that are beyond our control in this area. 


R2: Service Excellence

The risk was converted to an opportunity to reflect the progress with the Service
Excellence programme, as the focus changed from risks of the changes to maximising
and exploiting the benefits of it. Opportunities are scored opposite to risks (a low
score for an opportunity is bad and reflects the risk of the opportunity not being
exploited). Therefore the score is functionally unchanged. An update has been
proposed to the December Risk and Governance Board (RGB) meeting to increase the
opportunity score to 9 (amber) to reflect the delivery of planned actions within
the Service Excellence programme.


O2: Service 
Excellence 


R61: Litigation 
resource 


No significant updates. 


R72: SMEs

While the current score is unchanged, the target score has increased to reflect the
increased income requirements from this sector associated with collection of DP
Fees. This was also retitled from SMOs (Small and medium sized organisations) to
SMEs (Small and medium sized enterprises) to reflect preferred phrasing.


R87: International position

The description of this risk was amended to reflect the end of the EU exit
transition period, as that is no longer relevant context for the risk. The score was
reduced to reflect UK adequacy being approved by the EU.


R29: Technology relevant regulator

This risk was combined with R4 (Capacity and Capability).


R89: Compensation

The description of this risk was amended to explain that the impact is the public
not seeing the ICO as a relevant regulator if it is not able to provide compensation.


R83: Staff wellbeing and welfare

The score of this risk increased from 12 to 16 (red) towards the end of 2020, to
reflect the increased staff wellbeing concerns surrounding the COVID-19 pandemic.
Following our most recent staff survey during autumn 2021, the score decreased to 12
to reflect evidenced improvements in staff wellbeing as the pandemic eases. This
will be kept under close review.


R10: Statutory Codes

Following the delivery of the Children’s Code, it was agreed to remove this risk
from the corporate register and replace it with risks for each of the individual
Codes on relevant Directorate risk registers. This reflects that each of the Codes
is at a different stage and has different risks.


R88: Future role of the ICO

The description of this risk was updated slightly to include internally-driven
restructures, which could have an impact on external perceptions of the ICO’s role.


R90: Regulatory Action | N/A

R91: Targeted Regulatory Activity

These risks were added during the year to ensure that there was appropriate
reflection of our regulatory activities on the risk register, particularly in the
context of achieving Goals 5 and 6 of the IRSP.

A couple of amendments have been proposed to these risks, which will be considered
by RGB in December.

- R90: Reduce current risk rating to 9, as the controls and methodologies that are
currently in place provide added assurance on processes and accountability of
decision making and thereby reduce the likelihood of the risk. Retitle this risk
Regulatory Action and Activity.

- R91: Remove from the corporate risk register and move this to the relevant
Directorate Risk Registers.


R81: Management Board resilience

No significant changes. While this has been a key area of interest throughout the
last year of Elizabeth Denham’s term as Commissioner, the risk has been closely
managed and mitigated.


R26: Improving productivity

No significant changes.


R92: ICO guidance

This risk was created to replace R10 (Statutory Codes), and reflects the work that
has been done to ensure that we produce high quality guidance that meets the
expected standards from data controllers and Government.


R71: Online Harms regulation

O71: Online Safety | N/A

R93: Online Safety | N/A

The original R71 risk has moved between a risk and an opportunity over the last
couple of years, depending on the key issues at the time. However, following the
publication of the draft Online Harms Bill, this was divided into a risk (R93)
(primarily relating to potential confusion about the ICO’s regulatory role in this
area) and an opportunity (O71) (primarily relating to building on our strong
relationships with other regulators to deliver in this area). The draft Bill
crystallised the risks in this area, so the score of the risk increased slightly.

A proposal has been made to the December meeting of the RGB to remove O71 from the
corporate risk register and manage this through Directorate risk registers.


R21: Cyber Security

No significant changes.


R86: Political environment

No significant changes.


R76: Cyber-security | N/A

This risk was combined with the new regulatory action risk (R90).


A heat map showing the scoring changes visually is provided on the next page. 


- R4: Capacity and Capability
- R21: Cyber Security
- R26: Improving productivity
- R46: Financial Resilience
- R61: Litigation Resource
- R72: SMEs
- R73: Compliance Culture
- R81: Management Board Resilience
- R83: Staff Wellbeing
- R84: Major Incident
- R85: Managing ICO Reputation
- R86: Political and Economic Environment
- R87: International Position
- R88: Future Role and structure of ICO
- R89: Compensation
- R90: Regulatory Action
- R91: Targeted Regulatory Activity
- R93: Online Safety
- O3: Expectations Gap
- O2: Service Excellence
- O71: Online Safety

[Heat map figure. Axes: Likelihood/probability; Impact (Medium, High, Very high).]


Note: scores for opportunities are the inverse of scores for risks and should travel from low to high as the 
opportunity is exploited. So opportunities in the green section of the heat map are being exploited poorly and 
opportunities in the red section are being exploited well. 


